The world of higher education is about to be turned on its head. This is due to the imminent enactment of the General Data Protection Regulation (GDPR) which will come into effect on 25th May 2018. It marks a new era in the world of personal data protection with accountability at its centre. Although the updating of data protection law is overdue and welcomed by consumers, it does put demanding responsibilities onto the shoulders of Chief Information Security Officers (CISOs) in higher education institutions across the UK.
True expertise in GDPR compliance is a rare commodity and few resident CISOs have had time to acquire the required skill set. For this reason, many are using the additional resource and support of specialists to ensure the compliance requirements are met and resilient strategies are put in place. SRM’s GDPR team has operated in the information security environment for many years and our GDPR consultants have undergone GCHQ-certified training and gained GDPR Practitioner certification. As such they are uniquely well-placed to advise on the strategic implementation of GDPR. Here, they identify the key issues facing the higher education sector.
It is important that everyone is aware of the changes that GDPR will bring. Vice Chancellors, executive boards, deans, academics and lecturers will all need to be aware of how the changes in data protection legislation will affect them. The mantle of data protection usually falls to the Chief Information Security Officer (CISO) who is likely to take on or oversee the role of Data Protection Officer (DPO), which is a requirement of GDPR. To ensure this is done effectively, the CISO will need to have senior-level influence, with the relevant knowledge and authority to manage the process or be given the financial resource to secure additional support and expertise from an industry professional or Virtual CISO service.
2. Information lifecycle audit
Institutions will be held more accountable for the data they hold. In addition to keeping records of what personal data exists within the organisation’s systems, GDPR requires a documented understanding of why information is held, how it is collected, when it will be deleted or anonymised and who has access to it. Data will include everything from phone records to employment details. Some information will be categorised as sensitive and some as non-sensitive, and all of it needs to be mapped.
3. Incident Response
Keeping information secure is a primary requirement and there will be new obligations to report security breaches to the Information Commissioner’s Office (ICO) within 72 hours where the breach creates a risk to the affected individuals. This is likely to apply, for example, in cases of identity theft or financial loss, and organisations will also be required to inform the individuals affected. An incident response plan, which outlines protocols to detect, investigate and respond to personal data breaches, is an important element of this process.
4. Data Protection by Design
GDPR introduces new obligations on information-handling processes and the systems that are developed. Data protection should be built in with data privacy settings being the default. It is anticipated that GDPR will require ‘data protection by design’ to be extended to existing systems within three years. Formal data protection impact assessments should be undertaken as part of the design process.
5. Demonstration of consent
Not all data processing requires explicit consent, but where it is applicable, institutions need to be able to demonstrate that consent is ‘freely given, specific, informed and unambiguous’. This means individuals will need to specifically opt in, rather than simply fail to opt out.
6. Considering the necessity of data collection
Continuing with the concept of consent, institutions will be required to consider whether the collection of data and its processing is actually necessary. Recognised legal bases include contract, legal obligation, vital interest, public interest or legitimate interest of the organisation. If these apply then processes must meet the requirements of GDPR.
7. Reviewing privacy notices
When collecting or accessing individuals’ personal data, those individuals must be informed of the legal basis for processing their data, the retention period and their right to complain to the ICO if they consider there to be an issue. This will typically take the form of a privacy notice.
8. Increased consumer expectations
High-profile breaches have brought damaging publicity to a number of higher education institutions. With this heightened awareness comes an increased knowledge of the individual’s rights to data privacy. Those using an institution’s systems will expect to have their data protected and may challenge the institution where this is not visibly the case. Communication about GDPR compliance will be a necessary aspect of the DPO role.
9. Ensuring an individual’s rights can be upheld
Under GDPR the rights of individuals have been enhanced. They include the right to subject access, having inaccuracies corrected, having information erased, data portability and the right to be excluded from direct marketing or automated decision-making and profiling.
10. Increased financial penalties
Under GDPR, fines in the event of breaches are going to increase. GDPR raises the upper limit from the UK’s current £500,000 to as much as €20 million or 4% of turnover. This certainly brings GDPR and its ongoing compliance into sharp focus.
SRM’s GDPR team provides a business-focused service to organisations and higher education institutions of all types and sizes, at all ends of the GDPR-readiness spectrum. While we provide unrivalled technical and compliance expertise, we also understand how businesses and higher education institutions operate, working with clients through the GDPR compliance process with the focus on delivering robust and effective compliance, not on selling products.
Ian Armstrong, GDPR specialist at Security Risk Management Ltd.